Posted
by
timothy
on Thursday December 05, 2013 @11:15AM
from the reasonable-man-standards dept.

DavidGilbert99 writes "The founder of eBay, the parent company of PayPal, Pierre Omidyar has called on U.S. prosecutors to have mercy on the 14 members of Anonymous who are appearing in court this week facing up to 15 years in jail and a $500,000 fine for their part in a DDoS attack against PayPal in 2010. Despite thousands of Anons taking part, and most of the damage being done by two major botnets, the 14 are set to bear all the responsibility if U.S. prosecutors have their way."

Right now what they did does seem illegal hooliganism, as does most civil disobedience. Sometimes society adapts to see things differently. For now this is still hooliganism. I think they need to show a compelling good coming out of this if they expect a different response. The question is, what good would that be?

They all used Anons ddos app. It doesn't disguise your IP or anything. The point of it is, this is supposed to be a type of protest. I doubt there were any leaders in this case. 1 dude just pointed the application at the target and everyone else just ran the client for a few minutes. It's insane that this is illegal. This should be entirely a civil matter. Your ISP should ban you or you should be subject to a civil suit. But criminal charges? This is clearly a protest. Sounds like it was a hippie protest to me, and I hate hippies. But if we throw them in jail for bitching now, what's going to happen to all us non-hippies when we decide to bitch?

Let's posit that this was a civil action not a criminal action. at what point do actions like this become criminal? For this they took a payment system offline. what if they took the NYSE stock exchange offline? what if they took a powerplant offline? (this may require other tools not just DDOS, but let's assume it was also accomplished by a large group of people as a form of protest).

surely at some point it crosses the line to illegal actions. where is it?

Let's posit that this was a civil action not a criminal action. at what point do actions like this become criminal? For this they took a payment system offline. what if they took the NYSE stock exchange offline? what if they took a powerplant offline? (this may require other tools not just DDOS, but let's assume it was also accomplished by a large group of people as a form of protest).

Let's say I send a strongly worded letter of protest to the NYSE stock exchange. Is this illegal? Now suppose 9,999,999 oth

Same old, same old. Permanent damage, permanent denial of access. So when it comes to a comparison with a brick and mortar presence. Dumping a load of rubble onto their driveway, well, actually disappearing rubble, as it cleans itself up as soon as it stops. So it temporarily stops access of customers to the store and highlights the reason for the protest. So typically a minor fine, for their specific activity and not for associated activity. So in this case they didn't dump a truck full of self removing r

I disagree w/ the GP. It's reasonable that this is illegal, but... "up to 15 years in jail and a $500,000 fine" is insane. Get a good lawyer, and you can probably get away with less for murder. Armed robbery? Piece of cake. Yes I know they haven't been sentenced yet, but just the threat of sentences like that is absurd. It takes it from the government prosecuting a crime (in which no one was injured and even the founder of the "victim" company is asking for leniency) to the government saying "we can do whatever we like to you". Whole different animal. The first is a legitimate function of the government, and the latter is a step towards authoritarianism.

As for damage, FTA:

PayPal's website was down for an hour on 8 December and another brief period on 9 December. The company estimates the damage caused by the attack was $5.5 million

That $5.5M was probably calculated in the absurd way that such business losses are usually calculated. For example, if someone steals the source to a proprietary OS, then even if they do nothing with it, the "cost" is calculated as the entire cost of developing the OS. Right, they never made any sales and will never make any sales in the future.

The selective prosecution aspect of it is absurd too. Forget the fact that they're only prosecuting 14 of the participants. Search on "William K. Black". Far from being some fringe character, he was a major official the the OCC (Office of the Controller of the Currency - one of the banking regulators) when the S&L crisis blew up. He helped establish the case law on control fraud, and they obtained over 1000 criminal convictions. He's the ultimate "been there, done that, hence speak with authority" kind of guy. According to Black (many other knowledgeable people think this as well), the more recent financial meltdown, which makes the S&L crisis look like petty theft, has all the hallmarks of the same type of control fraud. Number of convictions for control fraud: 0. Number of attempted prosecutions: 0. Now that's selective. You don't really expect me to have any respect for federal prosecutors, or more importantly their past or current bosses, do you?

Why is it insane that it is illegal? This isn't just boycotting and picketing, it is intentionally and forcefully preventing others from doing business. Protesting is fine, but when you stop a business from doing any business by shutting down their website, that isn't just protesting. It would be like standing outside a store you don't like and stopping anyone that wants to go inside to shop. That, too, is illegal.

Not always. Depends on how exactly you do it. Sure, you can't physically prevent people from entering the store. But that's not like a DDoS, that's like cutting the network cable. A DDoS is like asking a ton of people to go to the store and not buy anything. Maybe fill up carts and abandon them at the register. Which is completely legal -- at least until they ask you to leave. But even then you'd get arrested to trespassing, NOT for disrupting business.

Yes, it would just be awesome to live in a world where websites could disappear without notice because some activist didn't like something they said.

I really don't get this mentality on slashdot that DDoS is civil disobedience. It isn't. It's censorship. A sit in allows the speaker to still be able to speak, a DDoS on the other hand is like the gestapo coming in and taking you away because you said something they didn't like. If there was no recourse for it, then how the fuck is the internet supposed to las

No it would be awesome to live in a world where protesters would only be allowed to protest in a convenient place where they didn't bother anyone else. Maybe designated "free speech" zones where they won't disturb the rest of us who need to sleep, go to work, go shopping etc.

Anyone who protested elsewhere and disturbed other people should get 15 years in jail and a $500,000 fine.

I am not particularly fond of the extent of the punishment, but I am certainly in favor of your idea about limiting protests to areas where they do not disturbing people that are not interested in hearing them. Free speech is the right to say stuff, not the right to make people listen to you by force.

I really don't get this mentality on slashdot that DDoS is civil disobedience. It isn't. It's censorship. A sit in allows the speaker to still be able to speak, a DDoS on the other hand is like the gestapo coming in and taking you away because you said something they didn't like.

Wrong and wrong. The entire point of sit-ins is to be a denial of service attack. Look at the lunch counter sit-ins of the US civil rights movements. Yes, the point was just to sit there until they were served -- but in doing so they were preventing other customers from being served as well. Two people at a sit-in is not a DoS; twenty people is. Same here. A dozen Anon members could hammer the site all day long and nothing would happen -- the DoS only comes with a large mass of people. Even a public march i

Now if the Union Leaders tried to keep a peaceful strike. That is one thing.This isn't a strike it was planed malicious attack.

Also Civil disobedience isn't protected by law. It means you are breaking the law for a cause. Now that you are going to break the law, you get caught you will face the penalty.Now if society feels your disobedience was worth it, you will be a marter for your cause, and cause future laws to be changed. However for the most part you will still be in jail.

Its odd how online activism is treated much differently than that which occurs in meatspace. Many protests occur in real life where access to buildings or simply roads are blocked yet the treatment of the two types protestors is very different.

The difference between a protest and a DDoS is that the protest which may or may not block access is capable of clearly demonstrating its views and what it's opposing. A DDoS conveys no such additional message. The parallel comparison between a DDoS attack and something similar in the meatspace would be to erect a bland and featureless wall around a business and then have one person in city in another country standing on the corner of an intersection yelling about whatever problem the business is apparently

I heard a story about a bunch of truckers who wanted to ride slowly around DC to block up the roads in protest. (I can't think of their names to provide a link). They most certainly considered it free speech despite the fact that the thousands of people behind them on the highway have no idea what's going on. I don't know if they ever went through with it. If they did, would they have been thrown in jail for a decade and fined for all of the financial damage it caused?

A protest is people communicating some kind of a message in a public place. Sometimes it is inconvenient when they block streets, etc. A DDoS on the other hand is like guys in ski masks showing up at your shop, kicking in the doors, running off your customers and not allowing you to do business for as long as they are there.

A protest is people communicating some kind of a message in a public place. Sometimes it is inconvenient when they block streets, etc. A DDoS on the other hand is like guys in ski masks showing up at your shop, kicking in the doors, running off your customers and not allowing you to do business for as long as they are there.

No it's not. And you know it's not, which is why you are posting as an AC.

To follow the analogy, "filling the streets with stuff" is illegal due to it's classification as littering and that effort needs to be undertaken to remove said litter.

Once a DDoS attack is completed (assuming that the sole action taken was DDoS and not defacement or intrusion), there is nothing to "clean up". When you stop, everyone picks up their "stuff" and walks away.

One of the problems with being attacked is that you really do not know the intentions of the attackers until after it is over. There really is no understanding of they are only going to do X unless you have some sort of insight into the attackers.

This is sort of the problem with the travon martin case. His girlfriend says he was only going to get an ass beating but zimmerman didn't know that when he was getting his ass beaten and being told he was going to die. His over reaction to that basically allowed hi

I agree to an extent. However; in one case you actually show up for the protest, in the other case you get a bunch of proxies to show up instead. Had the protest been achieved via the "slashdot" effect, nothing would have came of this. However manipulating machines to amplify your effect should be frowned upon.

Its odd how online activism is treated much differently than that which occurs in meatspace. Many protests occur in real life where access to buildings or simply roads are blocked yet the treatment of the two types protestors is very different.

So you're suggesting that online activists should be tear-gassed, clubbed, and maybe a few of them shot? That doesn't seem very practical.

The difference being that meatspace activism is almost pointless these days. It might get a 30 second mention on the news on a slow day, but otherwise you're just shunted into a "free speech zone", traffic gets routed around the protest and is flat out ignored.

Hacktivism on the other hand, has relatively immediate, noticeable (sometimes very much so) consequences that can either cost an organization money or if nothing else cause embarrassment.

Meatspace protests make you feel good, and are probably amusing to the powers that be. Online, a few people can a real nuisance, which is what activism is trying to do: be a nuisance until a change happens. [sarcasm] We can't have things like that happening in this country. Obviously we have to set an example for these 14 people. [/sarcasm]

The difference being that meatspace activism is almost pointless these days.

That mostly because most meatspace activism is like the Occupy 'Movement' - disorganized, and without a point, a plan, or an agenda. (In the rare occasions when it's not, it's a one-time affair that isn't really connected to anything else and won't have any follow on. The difference is moot really.)

And this is a real problem - because it leads people to observe those fools and assume that because their cargo cult version of activi

But it won't work that way. It's never really worked that way. Making things more illegal doesn't really put more hindrance on what people do compared to just being illegal, else we'd have the whole crack thing wrapped up by now.

"Tough on crime" is a moronic stance that doesn't address why people actually engage in crimes. A hint: very few people breaking the law are thinking rationally about consequences when they do.

... a position which is frightfully naive. Of course making things more illegal is a deterrent. It used to be totally legal to drive with your kids in the back of your truck on the open freeway. It's now more illegal (at least in California) and you don't see (very many) people driving on the freeway with kids in the back of their truck.

All officially recognized crimes are punished with the intent of deterring future crime, and you live in a time and place which ranks as among the most peaceful and civilized periods in all of known history. To suggest that this concept does not work betrays a stunning lack of understanding and respect for all the work put in by the millions of people who worked to establish and maintain the system that provides such domestic peace and tranquility.

Did you actually think that spending 10 years in jail actually compensates the parents and loved ones of a murder victim? Sorry, if they're dead, no amount of punishment will ever bring them back, and until you've personally experienced the loss of a close loved one, you cannot really understand just how devastating such a loss can be.
However, even sociopaths can understand personal injury and suffering even if they lack the ability empathize in any way with their victims.

... a position which is frightfully naive. Of course making things more illegal is a deterrent. It used to be totally legal to drive with your kids in the back of your truck on the open freeway. It's now more illegal (at least in California) and you don't see (very many) people driving on the freeway with kids in the back of their truck.

All officially recognized crimes are punished with the intent of deterring future crime, and you live in a time and place which ranks as among the most peaceful and civilized periods in all of known history. To suggest that this concept does not work betrays a stunning lack of understanding and respect for all the work put in by the millions of people who worked to establish and maintain the system that provides such domestic peace and tranquility.

Did you actually think that spending 10 years in jail actually compensates the parents and loved ones of a murder victim? Sorry, if they're dead, no amount of punishment will ever bring them back, and until you've personally experienced the loss of a close loved one, you cannot really understand just how devastating such a loss can be.

However, even sociopaths can understand personal injury and suffering even if they lack the ability empathize in any way with their victims.

You call me naive repeatedly, but I'm basing my position on the fact that it's been known for decades that it's measurably untrue [nytimes.com] that longer sentences do anything.

In day to day free life, the difference between 5 years of captivity and 50 can seem pretty damn abstract. Maybe once you're there, in a cell, it's meaningful, but not to the thought processes of a would-be criminal. Your own naivety and need for petty revenge blinds you to the fact that crime is an objective, measurable problem, and can have o

This makes perfect sense. If an angry mob smashes up some shops fronts, but police only catch 14 people you wouldn't charge them with the total damage of the entire mob, as well as the cost of upgrading security to protect against an angry mob in the future. You would charge each individual according to the damage they actually did.
In this case a single person using LOIC doesn't really do any significant damage at all. You could charge them a 1/1000 of the cost of overtime for personal to deal with the attack, and the extra bandwidth they caused the company, but its madness to hold them responsible for the damage done by the entire swarm.
In a cynical POV, this is also an excellent way for PayPall to remove themselves as a target when the PayPal14 are found guility.

If an angry mob smashes up some shops fronts, but police only catch 14 people you wouldn't charge them with the total damage of the entire mob, as well as the cost of upgrading security to protect against an angry mob in the future. You would charge each individual according to the damage they actually did.

No, it's not just about making the target of the attack whole, there is also a punitive aspect in order to discourage others in the future. The actual amounts in this case do seem excessive, but it has to hurt enough that future "anonymous cowards" seriously think twice before jumping in. Part of the mob mentality is thinking "there are so many of us, there's no way they'll catch me" and this shows that's just not true.

Look, I dislike PayPal as much as anyone but vigilante mob justice isn't the answer and t

because if they all end up with 15 year sentences, people might start asking why we're such a sensitive target thats so dangerous to attack. it might draw more attention to our business practices and confidential information. our own employees might become sympathetic, nay, might start 'leaking' information on how we skirt banking regulations and use our market dominance to arbitrarily freeze funds or hold 30% of transactions for 90 days, or how we refuse to pay bug bounties and lock out entire countries

because if they all end up with 15 year sentences, people might start asking why we're such a sensitive target thats so dangerous to attack. it might draw more attention to our business practices and confidential information. our own employees might become sympathetic, nay, might start 'leaking' information on how we skirt banking regulations and use our market dominance to arbitrarily freeze funds or hold 30% of transactions for 90 days, or how we refuse to pay bug bounties and lock out entire countries without explanation.

so if we could just stop over-reacting to this silly hacktivism and just go about our business that would be swell.

The objective here isn't to punish anyone proportionally to the crimes they committed. The whole point of online activists having the book thrown at them is to deter future activists.

You are right that this is a deterrence. I posted yesterday a much longer comment about this in the thread about the guy who got a huge fine and 2 years probation for participating for a very short time in the DOS. Basically US law allows for punitive damages in some cases and the system allows them to be exorbitant and perhaps even illogical. Sometimes these get reduced on appeal, but not always. The point is indeed to provide a deterrent against others doing the same thing in the future. It's not at all about fairness. If you are American and don't like it, work to change the system (probably not possible though) or complain all you want, but it's not going away. If you're not American, you can complain all you want about it but you can't change it.

I mentioned this in my post yesterday too, but some of it is that jury members in general know little about technology and some are almost Luddites. Judges and lawyers in general also know little about technology. This leads to prosecutors and judges overreacting against things they don't understand very well and juries overreacting to punish people due to not really understanding what they did.

This leads to prosecutors and judges overreacting against things they don't understand very well and juries overreacting to punish people due to not really understanding what they did.

I don't assume that the prosecutors and judges are overreacting because they don't understand technology. I think they understand completely that it is in the corporation's best interests to have disproportionate penalties for online activism compared to meatspace activism. They already lost the fight in meatspace, protests get a lot of coverage and it is really bad PR to see police pepper spraying protesters. I think they have the clear goal of establishing that online protests/activism will not be tolera

The objective here isn't to punish anyone proportionally to the crimes they committed. The whole point of online activists having the book thrown at them is to deter future activists.

The corporations already feel like meatspace activists have too many rights, so it is imperative to set a precedent that online activism will be dealt with harshly.

Have we established the Anonymous are activists? They call themselves activists, but their actions are those of a bunch of asshats who believed that if enough asshats do their asshattery in unison none of them will be caught and punished. I have a hard time telling the difference between Anonymous and 4chan.

Just because they do things you don't agree with doesn't mean they aren't activists. Being an activist, criminal, and "asshat" are not mutually exclusive and depending on your viewpoint a lot of activists are asshats. I'm sure that in the US there were some white southerners who considered MLK Jr. to be an asshat. Lot's of people consider Greenpeace and PETA to be both activists and asshats. Lots of people consider the ACLU to be activists and asshats. Lots of people dont.

Just because they do things you don't agree with doesn't mean they aren't activists. Being an activist, criminal, and "asshat" are not mutually exclusive and depending on your viewpoint a lot of activists are asshats. I'm sure that in the US there were some white southerners who considered MLK Jr. to be an asshat. Lot's of people consider Greenpeace and PETA to be both activists and asshats. Lots of people consider the ACLU to be activists and asshats. Lots of people dont.

How many of those you named in comparison specifically and exclusively use only illegal methods to attempt to further their causes?

Then the 14 would only have to pay a small fine and admit no wrongdoing. Really, what they should have done was form their own bank if they wanted to steal money. I mean, look at Paypal, and they aren't even a bank!

Criminal punishment is not shared. If 10 people are convicted of a crime, they don't each get 1/10th the sentence that a single individual would. Just because some perpetrators go unpunished, doesn't meant that the convicted are doing their time. Likewise, the money is a fine, not recompensation, so the value isn't determined by distributing restitution across all of the convicted.

How likely are you to get caught for speeding? I mean, most people drive over the speed limit. The average traffic speed here is 15 MPH over on the highway (outside of rush hour). I mean yes, you will get nabbed eventually when they need to make numbers, but they get so few at a time that the chanced of getting caught is so low, it garauntees targerts. They have no incentive to enforce it more widely (not the least of which since there would be no benefit)

Yup, and the favorite counter example of mine is lojack. Even a smalish increase in lojack use in an area (if I remember right, around 1%) was shown to correlate to a 20% drop in car thefts in that area.

Nobody wants to get punished, but many more people will take a small chance at a large punishment than will take a large chance at a small one. which makes sense. A small chance at a large punishment is a large chance at nothing but benefit.

In my area, they've made it mandatory for building owners to clean the graffiti, or they get a fine. Unless of course it's on electrical/phone utility boxes, bus shelters, or other common targets. Graffiti seems to stick around on these things, and the local utility company never has to clean them. Small business owners end up being the ones getting fined.

To follow the analogy, how is this different from setting up a picket line out front of someone's front door to protest some of the things that said company is doing that you find morally objectionable?

Should the physical analog of this very same situation also be subject to a 5.5 million dollar fine?

Shit comparison. One can simply walk past or through a picket line and into the buisness and have your transaction. I have done it before...and would do it again.

Want to protest, hold a sign, get some light cardio marching in a circle chanting catchly slogans? Go ahead!
Want to get in my way for doing buisness? Then fuck you and the horse you rode in on as you are not going to waste my time and money with your "cause."

Because a picket line is a visible display. You motherfuckers move out of the way, you're blocking the customers; annoying them is fine. If picketers physically barre customers from entry to a place of business, they get pepper spray and handcuffs.

They were not physically blocking you from sending http requests to the sight, they were just sending them faster then you can. Its like if to protest McDonalds, protesters lined up and ordered waters. Its annoying and costs money, but if you spend 5.5 million dollars to add a line specifically for water, do the 5 out of 1000 protesters you caught deserve to pay for all of it?

McDonalds can order the picketers off the premises, and they have to wait outside and let customers pass. The act of sending an HTTP request is, on the other hand, actually blocking others from sending requests.

It's different because a picket line can be crossed. Picketing relies on convincing potential customers to choose not to patronize a particular business. A better analogy for a DDOS attack might be deliberately blocking the doors so customers can't get in--for which the business can (and often successfully does) sue for lost income.

This isn't to say that picketing doesn't sometimes get out of hand, or that the penalty currently on the table isn't way too high. To be honest, I always thought that these so

Unless 10 000 people spray paint a town one night. If you catch a few of them (14 ?) and you know they only took a spray can and shot a few seconds (they did almost nothing vs the botnets), would you charge them for cleaning up the whole town ?

You need to complete your analogy. The ones that "only took a spray can and shot a few seconds" were willfully joining into an expansive coordinated attack with the intent to amplify the damage. This wasn't a case of "wrong place at the wrong time", they knew they were joining a larger group. One of Niven's laws... "Never stand next to someone who is throwing shit at an armed man."

There is an easier real world analogy than the one GP picked. If there's a city-wide riot and the police only are able to arrest a few people, do those few people have to pay for all of the damage done during the riot?

It costs virtually nothing to put up a sign and fence and is pretty much standard protocol. If vandalism was so bad in your area that you had to take considerably more action like paying guards, changing site layout etc then vandalism has cost you that money. Society normally puts a premium on punishments/fines etc to account for three (or more) things 1/ the odds of getting caught and 2/ the disproportionate costs crime can cause and 3/ to act as a deterrent.

Lol.. no it does not. But it also does not mean you escaped without costs. Those costs can be reasonable if they just compare similar costs of remedies in similar situations. So lets say that most people only spend 2 million to achieve the same thing if under the same constraints like energeny service instead of contract scheduling and 24 hour monitoring until it is safe from the threat. You can reasonably be expected to be liable for that and possibly more if there was no options reasonably priced.

One of the best approaches to fighting vandalism, especially graffiti is to keep painting over it. We have a building in NYC. Years ago it was constantly defaced with graffiti and the overall paint on the building looked a bit shabby. We had it painted but within a week the graffiti was back and it built up over the next few months. We called the painter who gave us the number of a graffiti removal service. For a monthly fee they would add us to a route and drive by once a week. If they spotted graffiti the

Here's a clear example of someone demanding compliance with a specific way of thinking, and all else being "stupidity" and demanding moderation to comply with their own willfully ignorant perspective. You are the detestable groupthink that no one likes here.

These few are fined for the actions of thousands of individuals.This means that if the detectives did their job better and caught more individuals, each individuals' fines would be lower.Why should these individuals be punished for a sloppy job done by others?They should be punished, they should pay a fine and they should pay damages. But they shouldn't have to pay damage caused by others.

They shouldn't have to pay for all the damage caused by others however I think the case can be made for considering the damage caused by the whole group when punishing individuals involved. On a basic level a DDoS goes from ineffective to partially effective to effective when more people take part and on another level their involvement helped build up the critical mass behind the attack.

I don't agree with them, I don't like many many things about anonymous etc but punishing 14 comparatively minor parts of a DDoS attack as though they caused all the damage isn't moderate, responsible or effective. There is a difference between giving them a punishment that has a deterrent affect and this nonsense.

The issue, imo, is that an embarrassingly small number of people are being prosecuted for this (surely hundreds, or thousands, of the perpetrators existed in the US or countries that would coope

It looks like Paypal is saying, "This won't decrease our business risk, it won't impact the actual source of the problem, and these people aren't responsible for or capable of the damage they did. On their own, they would annoy the network security guys; most of the network guys wouldn't notice them. This isn't relevant to us; except that if these kids get fucking crushed for this people we can't fight will be pissed at us and kick us more! We need to stop this to reduce our risk of suffering mob justic

I still think it is a stretch to characterize DDOS as computer hacking or whatever other legal term they are using that puts it on par with spreading malicious software and other things that involve defeating security measures and stealing data. Technically, these DDOS relies on the workings of the internet and if a company relies on the workings of the internet for its business, then angry DDOSers, are part of the cost of doing business on the internet. The government should not be involved in deciding wha

You think *she* was bad?? Her successor, John Donahoe is MUCH MUCH worse.. I'd sold on eBay since around 1998, and Meg's tenure was positively refreshing compared to Donahoes.. Her mantra was "eBay is just a venue", and pretty much stuck to it.. With Donahoe, its ALL about the buyers now, they can do no wrong.. He seems to convieniently forget that it is the SELLERS who pay the ever-growing fees that keep eBay running. The sellers, who stick around, now have a not-so-silent partner in their business, buttin